Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread TsungWei Hu 
Thanks.

The vulnerability report was originally generated by 'Foundstone Enterprise'
product on July 2. I was told the license for this product expired that now
I can not know the exact product version. Anyway, glad to see this fixed.

/marr/

On Sat, Jul 25, 2009 at 3:35 AM,  wrote:

> Yes.  We are going through our check database and changing the text of any
> "Do not use zope because of X" statements we find to "update zope to version
> X which fixes this issue", which is what it should have been originally.
>  The Foundstone vulnerability management product is intended to help
> customers fix existing issues in their infrastructure, not to make judgment
> calls on their choice of deployed software.
>
> -Original Message-
> From: Chris McDonough [mailto:chr...@plope.com]
> Sent: Friday, July 24, 2009 12:05 PM
> To: Permeh, Ryan
> Cc: zope@zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Thanks Ryan!
>
> Were you also able (willing?) to take out the advice to not use Zope in the
> text?  I assume that text shows up whenever a Zope-related vulnerability is
> encountered by the scanner.
>
> - C
>
> On 7/24/09 1:15 PM, ryan_per...@mcafee.com wrote:
> > Ok, the final analysis is as follows:
> >
> > We had an incorrect version regex that matched 2.10 the same as 2.1.
>  This issue seems to only affect zope version 2.0 through 2.5.01.  This lead
> to the vulnerability showing up with recent versions of zope being scanned.
> >
> > We are fixing both the regex and the suggested fix.  The new suggested
> fix will be to update to the appropriate version of zope (in this case, post
> 2.5.01), not to replace it with something else.  This fix should be updated
> within the next week or so.
> >
> > If you have any further questions pertaining to McAfee (or Foundstone)
> security reports, please feel free to contact me directly, or via
> secur...@mcafee.com.  I am not a full time member of this list, so I may
> not see any replies or questions made only to the list.
> >
> >
> > -Original Message-
> > From: Permeh, Ryan
> > Sent: Friday, July 24, 2009 9:53 AM
> > To: li...@zopyx.com
> > Cc: zope@zope.org
> > Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
> >
> > It is not related the specified hotfix.  I'm getting details now, but
> this is how it seems:
> > 1. this is from the Foundstone product, not a public advisory.  The
> Foundstone product is a vulnerability scanner, and it seems that it feels
> that the original poster's site is vulnerable to the stated issue.
> > 2. The vulnerability check was written and published in 2002.
> > 3. I am looking into details regarding both what the details of this
> issue originally were, and what we look for to trigger it's existence.
> >
> > This leads to a couple observations.
> >
> > 1.  This is likely a false positive, unless the original poster was
> running ridiculously old software.
> > 2. We will fix the check logic or remove the check entirely.  Checks this
> old rarely add much value to the product
> > 3. In any case, if the check stays, we will update the text.  I'm not
> sure who wrote the original text in 2002, but it obviously doesn't apply
> now.
> >
> >
> > -Original Message-
> > From: Andreas Jung [mailto:li...@zopyx.com]
> > Sent: Friday, July 24, 2009 9:43 AM
> > To: Permeh, Ryan
> > Cc: zope@zope.org
> > Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
> >
> > Hi,
> >
> >
> >
> >
> > On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
> >> I manage product security at McAfee, of which Foundstone is a part.  I
> am not aware of releasing such an advisory, and am looking into this.  Could
> we get details regarding where this was found?  Was this posted to a web
> site?  A security mailing list?  And when was it posted?  This may have a
> very different meaning if it was published in 2001 or something like that.
>  Alternately, Foundstone produces a vulnerability management software, was
> this in a report generated by that product?
> >>
> >>
> > I have no idea what you are talking about.
> >
> > We had this strange mail thread this week:
> >
> > http://mail.zope.org/pipermail/zope/2009-July/175308.html
> >
> > related to this hotfix
> >
> > http://www.zope.org/Products/Zope/Hotfix-2008-08-12
> >
> > Now how is this related to " HTTP Request Denial of Service
> Vulnerability" ???
> >
> > I can not find anything related to the su

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Ryan_Permeh 
Yes.  We are going through our check database and changing the text of any "Do 
not use zope because of X" statements we find to "update zope to version X 
which fixes this issue", which is what it should have been originally.  The 
Foundstone vulnerability management product is intended to help customers fix 
existing issues in their infrastructure, not to make judgment calls on their 
choice of deployed software.

-Original Message-
From: Chris McDonough [mailto:chr...@plope.com] 
Sent: Friday, July 24, 2009 12:05 PM
To: Permeh, Ryan
Cc: zope@zope.org
Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability

Thanks Ryan!

Were you also able (willing?) to take out the advice to not use Zope in the 
text?  I assume that text shows up whenever a Zope-related vulnerability is 
encountered by the scanner.

- C

On 7/24/09 1:15 PM, ryan_per...@mcafee.com wrote:
> Ok, the final analysis is as follows:
>
> We had an incorrect version regex that matched 2.10 the same as 2.1.  This 
> issue seems to only affect zope version 2.0 through 2.5.01.  This lead to the 
> vulnerability showing up with recent versions of zope being scanned.
>
> We are fixing both the regex and the suggested fix.  The new suggested fix 
> will be to update to the appropriate version of zope (in this case, post 
> 2.5.01), not to replace it with something else.  This fix should be updated 
> within the next week or so.
>
> If you have any further questions pertaining to McAfee (or Foundstone) 
> security reports, please feel free to contact me directly, or via 
> secur...@mcafee.com.  I am not a full time member of this list, so I may not 
> see any replies or questions made only to the list.
>
>
> -Original Message-
> From: Permeh, Ryan
> Sent: Friday, July 24, 2009 9:53 AM
> To: li...@zopyx.com
> Cc: zope@zope.org
> Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
>
> It is not related the specified hotfix.  I'm getting details now, but this is 
> how it seems:
> 1. this is from the Foundstone product, not a public advisory.  The 
> Foundstone product is a vulnerability scanner, and it seems that it feels 
> that the original poster's site is vulnerable to the stated issue.
> 2. The vulnerability check was written and published in 2002.
> 3. I am looking into details regarding both what the details of this issue 
> originally were, and what we look for to trigger it's existence.
>
> This leads to a couple observations.
>
> 1.  This is likely a false positive, unless the original poster was running 
> ridiculously old software.
> 2. We will fix the check logic or remove the check entirely.  Checks this old 
> rarely add much value to the product
> 3. In any case, if the check stays, we will update the text.  I'm not sure 
> who wrote the original text in 2002, but it obviously doesn't apply now.
>
>
> -Original Message-
> From: Andreas Jung [mailto:li...@zopyx.com]
> Sent: Friday, July 24, 2009 9:43 AM
> To: Permeh, Ryan
> Cc: zope@zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Hi,
>
>
>
>
> On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
>> I manage product security at McAfee, of which Foundstone is a part.  I am 
>> not aware of releasing such an advisory, and am looking into this.  Could we 
>> get details regarding where this was found?  Was this posted to a web site?  
>> A security mailing list?  And when was it posted?  This may have a very 
>> different meaning if it was published in 2001 or something like that.  
>> Alternately, Foundstone produces a vulnerability management software, was 
>> this in a report generated by that product?
>>
>>
> I have no idea what you are talking about.
>
> We had this strange mail thread this week:
>
> http://mail.zope.org/pipermail/zope/2009-July/175308.html
>
> related to this hotfix
>
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12
>
> Now how is this related to " HTTP Request Denial of Service Vulnerability" ???
>
> I can not find anything related to the subject within the list of our 
> hotfixes (which is pretty small since 2000):
>
> ___
> Zope maillist  -  Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>   http://mail.zope.org/mailman/listinfo/zope-announce
>   http://mail.zope.org/mailman/listinfo/zope-dev )
>

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Chris McDonough 
Thanks Ryan!

Were you also able (willing?) to take out the advice to not use Zope in the 
text?  I assume that text shows up whenever a Zope-related vulnerability is 
encountered by the scanner.

- C

On 7/24/09 1:15 PM, ryan_per...@mcafee.com wrote:
> Ok, the final analysis is as follows:
>
> We had an incorrect version regex that matched 2.10 the same as 2.1.  This 
> issue seems to only affect zope version 2.0 through 2.5.01.  This lead to the 
> vulnerability showing up with recent versions of zope being scanned.
>
> We are fixing both the regex and the suggested fix.  The new suggested fix 
> will be to update to the appropriate version of zope (in this case, post 
> 2.5.01), not to replace it with something else.  This fix should be updated 
> within the next week or so.
>
> If you have any further questions pertaining to McAfee (or Foundstone) 
> security reports, please feel free to contact me directly, or via 
> secur...@mcafee.com.  I am not a full time member of this list, so I may not 
> see any replies or questions made only to the list.
>
>
> -Original Message-
> From: Permeh, Ryan
> Sent: Friday, July 24, 2009 9:53 AM
> To: li...@zopyx.com
> Cc: zope@zope.org
> Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
>
> It is not related the specified hotfix.  I'm getting details now, but this is 
> how it seems:
> 1. this is from the Foundstone product, not a public advisory.  The 
> Foundstone product is a vulnerability scanner, and it seems that it feels 
> that the original poster's site is vulnerable to the stated issue.
> 2. The vulnerability check was written and published in 2002.
> 3. I am looking into details regarding both what the details of this issue 
> originally were, and what we look for to trigger it's existence.
>
> This leads to a couple observations.
>
> 1.  This is likely a false positive, unless the original poster was running 
> ridiculously old software.
> 2. We will fix the check logic or remove the check entirely.  Checks this old 
> rarely add much value to the product
> 3. In any case, if the check stays, we will update the text.  I'm not sure 
> who wrote the original text in 2002, but it obviously doesn't apply now.
>
>
> -Original Message-
> From: Andreas Jung [mailto:li...@zopyx.com]
> Sent: Friday, July 24, 2009 9:43 AM
> To: Permeh, Ryan
> Cc: zope@zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Hi,
>
>
>
>
> On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
>> I manage product security at McAfee, of which Foundstone is a part.  I am 
>> not aware of releasing such an advisory, and am looking into this.  Could we 
>> get details regarding where this was found?  Was this posted to a web site?  
>> A security mailing list?  And when was it posted?  This may have a very 
>> different meaning if it was published in 2001 or something like that.  
>> Alternately, Foundstone produces a vulnerability management software, was 
>> this in a report generated by that product?
>>
>>
> I have no idea what you are talking about.
>
> We had this strange mail thread this week:
>
> http://mail.zope.org/pipermail/zope/2009-July/175308.html
>
> related to this hotfix
>
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12
>
> Now how is this related to " HTTP Request Denial of Service Vulnerability" ???
>
> I can not find anything related to the subject within the list of our 
> hotfixes (which is pretty small since 2000):
>
> ___
> Zope maillist  -  Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>   http://mail.zope.org/mailman/listinfo/zope-announce
>   http://mail.zope.org/mailman/listinfo/zope-dev )
>

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Ricardo Newbery 
Ryan,

Thanks for the quick work on resolving this.  :-)

Ric



On Jul 24, 2009, at 10:15 AM,  wrote:

> Ok, the final analysis is as follows:
>
> We had an incorrect version regex that matched 2.10 the same as  
> 2.1.  This issue seems to only affect zope version 2.0 through  
> 2.5.01.  This lead to the vulnerability showing up with recent  
> versions of zope being scanned.
>
> We are fixing both the regex and the suggested fix.  The new  
> suggested fix will be to update to the appropriate version of zope  
> (in this case, post 2.5.01), not to replace it with something else.   
> This fix should be updated within the next week or so.
>
> If you have any further questions pertaining to McAfee (or  
> Foundstone) security reports, please feel free to contact me  
> directly, or via secur...@mcafee.com.  I am not a full time member  
> of this list, so I may not see any replies or questions made only to  
> the list.
>
>
> -Original Message-
> From: Permeh, Ryan
> Sent: Friday, July 24, 2009 9:53 AM
> To: li...@zopyx.com
> Cc: zope@zope.org
> Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
>
> It is not related the specified hotfix.  I'm getting details now,  
> but this is how it seems:
> 1. this is from the Foundstone product, not a public advisory.  The  
> Foundstone product is a vulnerability scanner, and it seems that it  
> feels that the original poster's site is vulnerable to the stated  
> issue.
> 2. The vulnerability check was written and published in 2002.
> 3. I am looking into details regarding both what the details of this  
> issue originally were, and what we look for to trigger it's existence.
>
> This leads to a couple observations.
>
> 1.  This is likely a false positive, unless the original poster was  
> running ridiculously old software.
> 2. We will fix the check logic or remove the check entirely.  Checks  
> this old rarely add much value to the product
> 3. In any case, if the check stays, we will update the text.  I'm  
> not sure who wrote the original text in 2002, but it obviously  
> doesn't apply now.
>
>
> -----Original Message-----
> From: Andreas Jung [mailto:li...@zopyx.com]
> Sent: Friday, July 24, 2009 9:43 AM
> To: Permeh, Ryan
> Cc: zope@zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Hi,
>
>
>
>
> On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
>> I manage product security at McAfee, of which Foundstone is a  
>> part.  I am not aware of releasing such an advisory, and am looking  
>> into this.  Could we get details regarding where this was found?   
>> Was this posted to a web site?  A security mailing list?  And when  
>> was it posted?  This may have a very different meaning if it was  
>> published in 2001 or something like that.  Alternately, Foundstone  
>> produces a vulnerability management software, was this in a report  
>> generated by that product?
>>
>>
> I have no idea what you are talking about.
>
> We had this strange mail thread this week:
>
> http://mail.zope.org/pipermail/zope/2009-July/175308.html
>
> related to this hotfix
>
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12
>
> Now how is this related to " HTTP Request Denial of Service  
> Vulnerability" ???
>
> I can not find anything related to the subject within the list of  
> our hotfixes (which is pretty small since 2000):
>
> ___
> Zope maillist  -  Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Ryan_Permeh 
It should be noted that doing this may make it less likely for a general 
purpose automated scanner like Foundstone (or Nessus or any vulnerability 
scanner) from finding your deployment, but it does not fix the app from the 
issue that the scanner was checking for.  This may or may not be an appropriate 
action, depending on your environment.  "Good Guy" scanners like our product 
usually have to try to determine if a site is vulnerable in non-intrusive ways, 
such as checking banners.  Bad guys scanners often send the exploit regardless 
of version.  They have no problem causing damage by sending potentially 
dangerous inputs to your application.  By changing the banner, you may be 
preventing good guys from seeing the issue and attempting to fix the issue 
without preventing bad guys from exploiting the issue.

In any case, since this was done in 2002, it's unlikely the specific issue in 
question is very relevant on either side.

-Original Message-
From: Andreas Jung [mailto:li...@zopyx.com] 
Sent: Friday, July 24, 2009 10:22 AM
To: Permeh, Ryan
Cc: zope@zope.org
Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability

That's why I usually override the Server: HTTP header from within my Zope apps 
for public sites running on Zope :-)

Andreas

On 24.07.09 19:15, ryan_per...@mcafee.com wrote:
> Ok, the final analysis is as follows:
>
> We had an incorrect version regex that matched 2.10 the same as 2.1.  This 
> issue seems to only affect zope version 2.0 through 2.5.01.  This lead to the 
> vulnerability showing up with recent versions of zope being scanned.
>
> We are fixing both the regex and the suggested fix.  The new suggested fix 
> will be to update to the appropriate version of zope (in this case, post 
> 2.5.01), not to replace it with something else.  This fix should be updated 
> within the next week or so.
>
> If you have any further questions pertaining to McAfee (or Foundstone) 
> security reports, please feel free to contact me directly, or via 
> secur...@mcafee.com.  I am not a full time member of this list, so I may not 
> see any replies or questions made only to the list.
>
>
> -Original Message-
> From: Permeh, Ryan
> Sent: Friday, July 24, 2009 9:53 AM
> To: li...@zopyx.com
> Cc: zope@zope.org
> Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
>
> It is not related the specified hotfix.  I'm getting details now, but this is 
> how it seems:
> 1. this is from the Foundstone product, not a public advisory.  The 
> Foundstone product is a vulnerability scanner, and it seems that it feels 
> that the original poster's site is vulnerable to the stated issue.
> 2. The vulnerability check was written and published in 2002.  
> 3. I am looking into details regarding both what the details of this issue 
> originally were, and what we look for to trigger it's existence.
>
> This leads to a couple observations.
>
> 1.  This is likely a false positive, unless the original poster was running 
> ridiculously old software.  
> 2. We will fix the check logic or remove the check entirely.  Checks 
> this old rarely add much value to the product 3. In any case, if the check 
> stays, we will update the text.  I'm not sure who wrote the original text in 
> 2002, but it obviously doesn't apply now.
>
>
> -Original Message-
> From: Andreas Jung [mailto:li...@zopyx.com]
> Sent: Friday, July 24, 2009 9:43 AM
> To: Permeh, Ryan
> Cc: zope@zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Hi,
>
>
>
>
> On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
>   
>> I manage product security at McAfee, of which Foundstone is a part.  I am 
>> not aware of releasing such an advisory, and am looking into this.  Could we 
>> get details regarding where this was found?  Was this posted to a web site?  
>> A security mailing list?  And when was it posted?  This may have a very 
>> different meaning if it was published in 2001 or something like that.  
>> Alternately, Foundstone produces a vulnerability management software, was 
>> this in a report generated by that product?  
>>
>>   
>> 
> I have no idea what you are talking about.
>
> We had this strange mail thread this week:
>
> http://mail.zope.org/pipermail/zope/2009-July/175308.html
>
> related to this hotfix
>
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12
>
> Now how is this related to " HTTP Request Denial of Service Vulnerability" ???
>
> I can not find anything related to the subject within the list of our 
> hotfixes (which is pretty small since 2000):
>
> ___
> Zope maillist  -  Zope@zope

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Andreas Jung 
That's why I usually override the Server: HTTP header from within my
Zope apps
for public sites running on Zope :-)

Andreas

On 24.07.09 19:15, ryan_per...@mcafee.com wrote:
> Ok, the final analysis is as follows:
>
> We had an incorrect version regex that matched 2.10 the same as 2.1.  This 
> issue seems to only affect zope version 2.0 through 2.5.01.  This lead to the 
> vulnerability showing up with recent versions of zope being scanned.
>
> We are fixing both the regex and the suggested fix.  The new suggested fix 
> will be to update to the appropriate version of zope (in this case, post 
> 2.5.01), not to replace it with something else.  This fix should be updated 
> within the next week or so.
>
> If you have any further questions pertaining to McAfee (or Foundstone) 
> security reports, please feel free to contact me directly, or via 
> secur...@mcafee.com.  I am not a full time member of this list, so I may not 
> see any replies or questions made only to the list.
>
>
> -Original Message-
> From: Permeh, Ryan 
> Sent: Friday, July 24, 2009 9:53 AM
> To: li...@zopyx.com
> Cc: zope@zope.org
> Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability
>
> It is not related the specified hotfix.  I'm getting details now, but this is 
> how it seems:
> 1. this is from the Foundstone product, not a public advisory.  The 
> Foundstone product is a vulnerability scanner, and it seems that it feels 
> that the original poster's site is vulnerable to the stated issue.
> 2. The vulnerability check was written and published in 2002.  
> 3. I am looking into details regarding both what the details of this issue 
> originally were, and what we look for to trigger it's existence.
>
> This leads to a couple observations.
>
> 1.  This is likely a false positive, unless the original poster was running 
> ridiculously old software.  
> 2. We will fix the check logic or remove the check entirely.  Checks this old 
> rarely add much value to the product
> 3. In any case, if the check stays, we will update the text.  I'm not sure 
> who wrote the original text in 2002, but it obviously doesn't apply now.  
>
>
> -----Original Message-----
> From: Andreas Jung [mailto:li...@zopyx.com] 
> Sent: Friday, July 24, 2009 9:43 AM
> To: Permeh, Ryan
> Cc: zope@zope.org
> Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability
>
> Hi,
>
>
>
>
> On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
>   
>> I manage product security at McAfee, of which Foundstone is a part.  I am 
>> not aware of releasing such an advisory, and am looking into this.  Could we 
>> get details regarding where this was found?  Was this posted to a web site?  
>> A security mailing list?  And when was it posted?  This may have a very 
>> different meaning if it was published in 2001 or something like that.  
>> Alternately, Foundstone produces a vulnerability management software, was 
>> this in a report generated by that product?  
>>
>>   
>> 
> I have no idea what you are talking about.
>
> We had this strange mail thread this week:
>
> http://mail.zope.org/pipermail/zope/2009-July/175308.html
>
> related to this hotfix
>
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12
>
> Now how is this related to " HTTP Request Denial of Service Vulnerability" ???
>
> I can not find anything related to the subject within the list of our 
> hotfixes (which is pretty small since 2000):
>
> ___
> Zope maillist  -  Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
>   


-- 
ZOPYX Ltd. & Co KG  \  ZOPYX & Friends
Charlottenstr. 37/1  \  The experts for your Python, Zope and
D-72070 Tübingen  \  Plone projects
www.zopyx.com, i...@zopyx.com  \  www.zopyx.de/friends, frie...@zopyx.de

E-Publishing, Python, Zope & Plone development, Consulting


begin:vcard
fn:Andreas Jung
n:Jung;Andreas
org:ZOPYX Ltd. & Co. KG
adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany
email;internet:i...@zopyx.com
title:CEO
tel;work:+49-7071-793376
tel;fax:+49-7071-7936840
tel;home:+49-7071-793257
x-mozilla-html:FALSE
url:www.zopyx.com
version:2.1
end:vcard

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Ryan_Permeh 
Ok, the final analysis is as follows:

We had an incorrect version regex that matched 2.10 the same as 2.1.  This 
issue seems to only affect zope version 2.0 through 2.5.01.  This lead to the 
vulnerability showing up with recent versions of zope being scanned.

We are fixing both the regex and the suggested fix.  The new suggested fix will 
be to update to the appropriate version of zope (in this case, post 2.5.01), 
not to replace it with something else.  This fix should be updated within the 
next week or so.

If you have any further questions pertaining to McAfee (or Foundstone) security 
reports, please feel free to contact me directly, or via secur...@mcafee.com.  
I am not a full time member of this list, so I may not see any replies or 
questions made only to the list.


-Original Message-
From: Permeh, Ryan 
Sent: Friday, July 24, 2009 9:53 AM
To: li...@zopyx.com
Cc: zope@zope.org
Subject: RE: [Zope] HTTP Request Denial of Service Vulnerability

It is not related the specified hotfix.  I'm getting details now, but this is 
how it seems:
1. this is from the Foundstone product, not a public advisory.  The Foundstone 
product is a vulnerability scanner, and it seems that it feels that the 
original poster's site is vulnerable to the stated issue.
2. The vulnerability check was written and published in 2002.  
3. I am looking into details regarding both what the details of this issue 
originally were, and what we look for to trigger it's existence.

This leads to a couple observations.

1.  This is likely a false positive, unless the original poster was running 
ridiculously old software.  
2. We will fix the check logic or remove the check entirely.  Checks this old 
rarely add much value to the product
3. In any case, if the check stays, we will update the text.  I'm not sure who 
wrote the original text in 2002, but it obviously doesn't apply now.  


-Original Message-
From: Andreas Jung [mailto:li...@zopyx.com] 
Sent: Friday, July 24, 2009 9:43 AM
To: Permeh, Ryan
Cc: zope@zope.org
Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability

Hi,




On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
> I manage product security at McAfee, of which Foundstone is a part.  I am not 
> aware of releasing such an advisory, and am looking into this.  Could we get 
> details regarding where this was found?  Was this posted to a web site?  A 
> security mailing list?  And when was it posted?  This may have a very 
> different meaning if it was published in 2001 or something like that.  
> Alternately, Foundstone produces a vulnerability management software, was 
> this in a report generated by that product?  
>
>   
I have no idea what you are talking about.

We had this strange mail thread this week:

http://mail.zope.org/pipermail/zope/2009-July/175308.html

related to this hotfix

http://www.zope.org/Products/Zope/Hotfix-2008-08-12

Now how is this related to " HTTP Request Denial of Service Vulnerability" ???

I can not find anything related to the subject within the list of our hotfixes 
(which is pretty small since 2000):

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Andrew Milton 
+---[ ryan_per...@mcafee.com ]--
|
| 1.  This is likely a false positive, unless the original poster was running 
ridiculously old software.  

Ridiculously old software is not outside the realms of probability

-- 
Andrew Milton
a...@theinternet.com.au
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Ryan_Permeh 
It is not related the specified hotfix.  I'm getting details now, but this is 
how it seems:
1. this is from the Foundstone product, not a public advisory.  The Foundstone 
product is a vulnerability scanner, and it seems that it feels that the 
original poster's site is vulnerable to the stated issue.
2. The vulnerability check was written and published in 2002.  
3. I am looking into details regarding both what the details of this issue 
originally were, and what we look for to trigger it's existence.

This leads to a couple observations.

1.  This is likely a false positive, unless the original poster was running 
ridiculously old software.  
2. We will fix the check logic or remove the check entirely.  Checks this old 
rarely add much value to the product
3. In any case, if the check stays, we will update the text.  I'm not sure who 
wrote the original text in 2002, but it obviously doesn't apply now.  


-Original Message-
From: Andreas Jung [mailto:li...@zopyx.com] 
Sent: Friday, July 24, 2009 9:43 AM
To: Permeh, Ryan
Cc: zope@zope.org
Subject: Re: [Zope] HTTP Request Denial of Service Vulnerability

Hi,




On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
> I manage product security at McAfee, of which Foundstone is a part.  I am not 
> aware of releasing such an advisory, and am looking into this.  Could we get 
> details regarding where this was found?  Was this posted to a web site?  A 
> security mailing list?  And when was it posted?  This may have a very 
> different meaning if it was published in 2001 or something like that.  
> Alternately, Foundstone produces a vulnerability management software, was 
> this in a report generated by that product?  
>
>   
I have no idea what you are talking about.

We had this strange mail thread this week:

http://mail.zope.org/pipermail/zope/2009-July/175308.html

related to this hotfix

http://www.zope.org/Products/Zope/Hotfix-2008-08-12

Now how is this related to " HTTP Request Denial of Service Vulnerability" ???

I can not find anything related to the subject within the list of our hotfixes 
(which is pretty small since 2000):

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Andreas Jung 
On 24.07.09 18:43, Andreas Jung wrote:
> Hi,
>
>
>
>
> On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
>   
>> I manage product security at McAfee, of which Foundstone is a part.  I am 
>> not aware of releasing such an advisory, and am looking into this.  Could we 
>> get details regarding where this was found?  Was this posted to a web site?  
>> A security mailing list?  And when was it posted?  This may have a very 
>> different meaning if it was published in 2001 or something like that.  
>> Alternately, Foundstone produces a vulnerability management software, was 
>> this in a report generated by that product?  
>>
>>   
>> 
> I have no idea what you are talking about.
>
> We had this strange mail thread this week:
>
> http://mail.zope.org/pipermail/zope/2009-July/175308.html
>
> related to this hotfix
>
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12
>
> Now how is this related to " HTTP Request Denial of Service
> Vulnerability" ???
>
> I can not find anything related to the subject within the list of our
> hotfixes (which is pretty small since 2000):
>
>   
Sorry, I pressed the send button to early.

http://www.zope.org/Products/

So what is this discussion all about? What has Mcafee to do with this
issue?!

Andreas Jung
Zope 2 Release Manager


-- 
ZOPYX Ltd. & Co KG  \  ZOPYX & Friends
Charlottenstr. 37/1  \  The experts for your Python, Zope and
D-72070 Tübingen  \  Plone projects
www.zopyx.com, i...@zopyx.com  \  www.zopyx.de/friends, frie...@zopyx.de

E-Publishing, Python, Zope & Plone development, Consulting


begin:vcard
fn:Andreas Jung
n:Jung;Andreas
org:ZOPYX Ltd. & Co. KG
adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany
email;internet:i...@zopyx.com
title:CEO
tel;work:+49-7071-793376
tel;fax:+49-7071-7936840
tel;home:+49-7071-793257
x-mozilla-html:FALSE
url:www.zopyx.com
version:2.1
end:vcard

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-24 Thread Andreas Jung 
Hi,




On 24.07.09 18:24, ryan_per...@mcafee.com wrote:
> I manage product security at McAfee, of which Foundstone is a part.  I am not 
> aware of releasing such an advisory, and am looking into this.  Could we get 
> details regarding where this was found?  Was this posted to a web site?  A 
> security mailing list?  And when was it posted?  This may have a very 
> different meaning if it was published in 2001 or something like that.  
> Alternately, Foundstone produces a vulnerability management software, was 
> this in a report generated by that product?  
>
>   
I have no idea what you are talking about.

We had this strange mail thread this week:

http://mail.zope.org/pipermail/zope/2009-July/175308.html

related to this hotfix

http://www.zope.org/Products/Zope/Hotfix-2008-08-12

Now how is this related to " HTTP Request Denial of Service
Vulnerability" ???

I can not find anything related to the subject within the list of our
hotfixes (which is pretty small since 2000):

begin:vcard
fn:Andreas Jung
n:Jung;Andreas
org:ZOPYX Ltd. & Co. KG
adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany
email;internet:i...@zopyx.com
title:CEO
tel;work:+49-7071-793376
tel;fax:+49-7071-7936840
tel;home:+49-7071-793257
x-mozilla-html:FALSE
url:www.zopyx.com
version:2.1
end:vcard

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-21 Thread Ricardo Newbery 

On Jul 19, 2009, at 11:04 PM, TsungWei Hu wrote:

> The observation and recommendation is specifically generated by  
> Foundstone Labs' software.
> It's my fault to suggest that might be related to Hotfix-2008-08-12.
> From my side, I will try to stop improper information from  
> Foundstone lab.
>
> Thanks, marr


Which Foundstone software/service generated this bogus advisory?   
Details please.

Ric


___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread TsungWei Hu 
The observation and recommendation is specifically generated by Foundstone
Labs' software.
It's my fault to suggest that might be related to Hotfix-2008-08-12.
>From my side, I will try to stop improper information from Foundstone lab.

Thanks, marr

On Mon, Jul 20, 2009 at 12:20 PM, Andreas Jung  wrote:

> On 20.07.09 04:06, TsungWei Hu wrote:
> > I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
> > security notice as follows. Is it sufficient to fix this just
> > installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ?
> > Thanks, /marr/
> >
> >
> > Although the Zope development environment is one of the largest and
> > most widely supported open source web content management solutions, it
> > has been plagued with exploitable vulnerabilities. Due to the nature
> > of the software and shear number of vulnerabilities, Foundstone Labs
> > recommends you consider utilizing a different content management
> > solution and at a minimum upgrade your software. Zope updates can be
> > freely downloaded from www.zope.org 
>
> TsungWei, with respect but you are telling barely nonsense. The
> mentioned issue only affected
> sites where managers gave ZMI access to untrusted users. So this issue
> is of limited importance.
> In addition it has been fixed within less than one day (compare this to
> other systems).
> In addition: Zope is an application server, not a CMS. Also: compare the
> number of critical
> bugs within Zope to other systems.
>
> ZOPE IS VERY SECURE.
>
> So please stop with such postings spreading FUD and containing improper
> information.
>
> Andreas Jung
> Zope 2 Release Manager
>
>
>
>
>
>
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Andrew Milton 
+---[ Chris McDonough ]--
| This may be true.  However, I notice that whomever makes the Foundstone 
website 
| can't spell either ("Costumer" for "Customer" in the "How you found out about 
| us" dropdown). ;-)  So... guilty till proven innocent as far as I'm concerned.

Don't blame me, I'm not the costumer involved...

-- 
Andrew Milton
a...@theinternet.com.au
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Andreas Jung 
On 20.07.09 04:06, TsungWei Hu wrote:
> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
> security notice as follows. Is it sufficient to fix this just
> installing http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ?
> Thanks, /marr/
>
>
> Although the Zope development environment is one of the largest and
> most widely supported open source web content management solutions, it
> has been plagued with exploitable vulnerabilities. Due to the nature
> of the software and shear number of vulnerabilities, Foundstone Labs
> recommends you consider utilizing a different content management
> solution and at a minimum upgrade your software. Zope updates can be
> freely downloaded from www.zope.org 

TsungWei, with respect but you are telling barely nonsense. The
mentioned issue only affected
sites where managers gave ZMI access to untrusted users. So this issue
is of limited importance.
In addition it has been fixed within less than one day (compare this to
other systems).
In addition: Zope is an application server, not a CMS. Also: compare the
number of critical
bugs within Zope to other systems.

ZOPE IS VERY SECURE.

So please stop with such postings spreading FUD and containing improper
information.

Andreas Jung
Zope 2 Release Manager





begin:vcard
fn:Andreas Jung
n:Jung;Andreas
org:ZOPYX Ltd. & Co. KG
adr;quoted-printable:;;Charlottenstr. 37/1;T=C3=BCbingen;;72070;Germany
email;internet:i...@zopyx.com
title:CEO
tel;work:+49-7071-793376
tel;fax:+49-7071-7936840
tel;home:+49-7071-793257
x-mozilla-html:FALSE
url:www.zopyx.com
version:2.1
end:vcard

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Chris McDonough 
This may be true.  However, I notice that whomever makes the Foundstone website 
can't spell either ("Costumer" for "Customer" in the "How you found out about 
us" dropdown). ;-)  So... guilty till proven innocent as far as I'm concerned.

- C

On 7/19/09 11:45 PM, Ricardo Newbery wrote:
>
> It might be premature to blame this on Foundstone. I can't seem to find
> this security advisory online at all. No advisory id was included nor
> any reference at all and the recommendation doesn't look at all like
> what usually comes from a legit advisory. I smeil a fake.
>
> Ric
>
>
>
> On Jul 19, 2009, at 7:55 PM, Chris McDonough wrote:
>
>> I just sent the below via
>> http://www.foundstone.com/us/contact-form.aspx . I'd
>> suggest that others do the same; this company is totally wrong about this
>> conclusion...
>>
>> You recently issued a security warning to the effect:
>>
>> """
>> = Name =
>>
>> Zope HTTP Request Denial of Service Vulnerability
>>
>> = Description =
>>
>> A vulnerability in Zope may allow a remote attacker to manually
>> shutdown the system.
>>
>> = Observation =
>>
>> The Zope Web Content Management system has been identified with a
>> critical
>> denial of service vulnerability. A malicious attacker could manually
>> shutdown
>> the target system remotely via a custom web HTTP field request. This
>> vulnerability is especially dangerous as the "kill" packet can be
>> completely
>> forged thereby increasing the difficulty when tracking would be
>> intruders and
>> attackers.
>>
>> = Recommendation =
>>
>> Although the Zope development environment is one of the largest and
>> most widely
>> supported open source web content management solutions, it has been
>> plagued with
>> exploitable vulnerabilities. Due to the nature of the software and
>> shear number
>> of vulnerabilities, Foundstone Labs recommends you consider utilizing a
>> different content management solution and at a minimum upgrade your
>> software.
>> Zope updates can be freely downloaded from www.zope.org
>> """
>>
>> Your conclusion here is wrong. This particular "vulnerability" is for
>> Zope
>> installations who offer the ability for *untrusted users* to add code
>> through
>> the web. This is not the default setup; a user needs to explicitly
>> enable such
>> a setup. The conclusion is akin to saying that people should not use Zope
>> because they might do something bad to Zope if they have access to the
>> administrative interface. This is the case with *any* application
>> server or
>> content management system.
>>
>> I'd suggest getting a little more knowledge about your material before
>> scaring
>> folks. The Zope folks do full-disclosure of all vulnerabilities; it's
>> up to you
>> to discern the "scary" ones from the "ho hum" ones. This is definitely
>> a ho-hum
>> one, and in no way deserves this conclusion.
>>
>> On 7/19/09 10:42 PM, Chris McDonough wrote:
>>> I have no idea who "Foundstone Labs" is, nor if the denial of service
>>> vulnerability they're talking about is indeed the one fixed by
>>> http://www.zope.org/advisories/advisory-2008-08-12/ but:
>>>
>>> a) if it is, if you read it closely, you'll note that it's for Zope
>>> instances
>>> where untrusted users have unrestricted access to the ZMI and the
>>> ability to add
>>> Python Scripts. Do you have such a setup?
>>>
>>> b) Zope has historically been *very* secure; this company is utterly,
>>> completely, and hopelessly clueless (nor can they spell "sheer"). If
>>> you want
>>> *real* security horror, I'd suggest taking their advice and
>>> "upgrading" to any
>>> PHP based solution. ;-)
>>>
>>> - C
>>>
>>>
>>> On 7/19/09 10:06 PM, TsungWei Hu wrote:
 I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
 security notice as follows. Is it sufficient to fix this just
 installing
 http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/

 = Name =

 Zope HTTP Request Denial of Service Vulnerability

 = Description =

 A vulnerability in Zope may allow a remote attacker to manually
 shutdown
 the system.

 = Observation =

 The Zope Web Content Management system has been identified with a
 critical denial of service vulnerability. A malicious attacker could
 manually shutdown the target system remotely via a custom web HTTP
 field
 request. This vulnerability is especially dangerous as the "kill"
 packet
 can be completely forged thereby increasing the difficulty when
 tracking
 would be intruders and attackers.

 = Recommendation =

 Although the Zope development environment is one of the largest and
 most
 widely supported open source web content management solutions, it has
 been plagued with exploitable vulnerabilities. Due to the nature of the
 software and shear number of vulnerabilities, Foundstone Labs
 recommends
 you consider utilizing a different content management solution and at

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Ricardo Newbery 

It might be premature to blame this on Foundstone.  I can't seem to  
find this security advisory online at all.  No advisory id was  
included nor any reference at all and the recommendation doesn't look  
at all like what usually comes from a legit advisory.  I smeil a fake.

Ric



On Jul 19, 2009, at 7:55 PM, Chris McDonough wrote:

> I just sent the below via http://www.foundstone.com/us/contact-form.aspx 
>  .  I'd
> suggest that others do the same; this company is totally wrong about  
> this
> conclusion...
>
> You recently issued a security warning to the effect:
>
> """
> = Name =
>
> Zope HTTP Request Denial of Service Vulnerability
>
> = Description =
>
> A vulnerability in Zope may allow a remote attacker to manually  
> shutdown the system.
>
> = Observation =
>
> The Zope Web Content Management system has been identified with a  
> critical
> denial of service vulnerability. A malicious attacker could manually  
> shutdown
> the target system remotely via a custom web HTTP field request. This
> vulnerability is especially dangerous as the "kill" packet can be  
> completely
> forged thereby increasing the difficulty when tracking would be  
> intruders and
> attackers.
>
> = Recommendation =
>
> Although the Zope development environment is one of the largest and  
> most widely
> supported open source web content management solutions, it has been  
> plagued with
> exploitable vulnerabilities. Due to the nature of the software and  
> shear number
> of vulnerabilities, Foundstone Labs recommends you consider  
> utilizing a
> different content management solution and at a minimum upgrade your  
> software.
> Zope updates can be freely downloaded from www.zope.org
> """
>
> Your conclusion here is wrong.  This particular "vulnerability" is  
> for Zope
> installations who offer the ability for *untrusted users* to add  
> code through
> the web.  This is not the default setup; a user needs to explicitly  
> enable such
> a setup. The conclusion is akin to saying that people should not use  
> Zope
> because they might do something bad to Zope if they have access to the
> administrative interface.  This is the case with *any* application  
> server or
> content management system.
>
> I'd suggest getting a little more knowledge about your material  
> before scaring
> folks.  The Zope folks do full-disclosure of all vulnerabilities;  
> it's up to you
> to discern the "scary" ones from the "ho hum" ones. This is  
> definitely a ho-hum
> one, and in no way deserves this conclusion.
>
> On 7/19/09 10:42 PM, Chris McDonough wrote:
>> I have no idea who "Foundstone Labs" is, nor if the denial of service
>> vulnerability they're talking about is indeed the one fixed by
>> http://www.zope.org/advisories/advisory-2008-08-12/ but:
>>
>> a) if it is, if you read it closely, you'll note that it's for Zope  
>> instances
>> where untrusted users have unrestricted access to the ZMI and the  
>> ability to add
>> Python Scripts.  Do you have such a setup?
>>
>> b) Zope has historically been *very* secure; this company is utterly,
>> completely, and hopelessly clueless (nor can they spell "sheer").   
>> If you want
>> *real* security horror, I'd suggest taking their advice and  
>> "upgrading" to any
>> PHP based solution. ;-)
>>
>> - C
>>
>>
>> On 7/19/09 10:06 PM, TsungWei Hu wrote:
>>> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
>>> security notice as follows. Is it sufficient to fix this just  
>>> installing
>>> http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/
>>>
>>> = Name =
>>>
>>> Zope HTTP Request Denial of Service Vulnerability
>>>
>>> = Description =
>>>
>>> A vulnerability in Zope may allow a remote attacker to manually  
>>> shutdown
>>> the system.
>>>
>>> = Observation =
>>>
>>> The Zope Web Content Management system has been identified with a
>>> critical denial of service vulnerability. A malicious attacker could
>>> manually shutdown the target system remotely via a custom web HTTP  
>>> field
>>> request. This vulnerability is especially dangerous as the "kill"  
>>> packet
>>> can be completely forged thereby increasing the difficulty when  
>>> tracking
>>> would be intruders and attackers.
>>>
>>> = Recommendation =
>>>
>>> Although the Zope development environment is one of the largest  
>>> and most
>>> widely supported open source web content management solutions, it  
>>> has
>>> been plagued with exploitable vulnerabilities. Due to the nature  
>>> of the
>>> software and shear number of vulnerabilities, Foundstone Labs  
>>> recommends
>>> you consider utilizing a different content management solution and  
>>> at a
>>> minimum upgrade your software. Zope updates can be freely downloaded
>>> from www.zope.org
>>>
>>>
>>> 
>>>
>>> ___
>>> Zope maillist  -  Zope@zope.org
>>> http://mail.zope.org/mailma

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Chris McDonough 
I just sent the below via http://www.foundstone.com/us/contact-form.aspx .  I'd 
suggest that others do the same; this company is totally wrong about this 
conclusion...

You recently issued a security warning to the effect:

"""
= Name =

Zope HTTP Request Denial of Service Vulnerability

= Description =

A vulnerability in Zope may allow a remote attacker to manually shutdown the 
system.

= Observation =

The Zope Web Content Management system has been identified with a critical 
denial of service vulnerability. A malicious attacker could manually shutdown 
the target system remotely via a custom web HTTP field request. This 
vulnerability is especially dangerous as the "kill" packet can be completely 
forged thereby increasing the difficulty when tracking would be intruders and 
attackers.

= Recommendation =

Although the Zope development environment is one of the largest and most widely 
supported open source web content management solutions, it has been plagued 
with 
exploitable vulnerabilities. Due to the nature of the software and shear number 
of vulnerabilities, Foundstone Labs recommends you consider utilizing a 
different content management solution and at a minimum upgrade your software. 
Zope updates can be freely downloaded from www.zope.org
"""

Your conclusion here is wrong.  This particular "vulnerability" is for Zope 
installations who offer the ability for *untrusted users* to add code through 
the web.  This is not the default setup; a user needs to explicitly enable such 
a setup. The conclusion is akin to saying that people should not use Zope 
because they might do something bad to Zope if they have access to the 
administrative interface.  This is the case with *any* application server or 
content management system.

I'd suggest getting a little more knowledge about your material before scaring 
folks.  The Zope folks do full-disclosure of all vulnerabilities; it's up to 
you 
to discern the "scary" ones from the "ho hum" ones. This is definitely a ho-hum 
one, and in no way deserves this conclusion.

On 7/19/09 10:42 PM, Chris McDonough wrote:
> I have no idea who "Foundstone Labs" is, nor if the denial of service
> vulnerability they're talking about is indeed the one fixed by
> http://www.zope.org/advisories/advisory-2008-08-12/ but:
>
> a) if it is, if you read it closely, you'll note that it's for Zope instances
> where untrusted users have unrestricted access to the ZMI and the ability to 
> add
> Python Scripts.  Do you have such a setup?
>
> b) Zope has historically been *very* secure; this company is utterly,
> completely, and hopelessly clueless (nor can they spell "sheer").  If you want
> *real* security horror, I'd suggest taking their advice and "upgrading" to any
> PHP based solution. ;-)
>
> - C
>
>
> On 7/19/09 10:06 PM, TsungWei Hu wrote:
>> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
>> security notice as follows. Is it sufficient to fix this just installing
>> http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/
>>
>> = Name =
>>
>> Zope HTTP Request Denial of Service Vulnerability
>>
>> = Description =
>>
>> A vulnerability in Zope may allow a remote attacker to manually shutdown
>> the system.
>>
>> = Observation =
>>
>> The Zope Web Content Management system has been identified with a
>> critical denial of service vulnerability. A malicious attacker could
>> manually shutdown the target system remotely via a custom web HTTP field
>> request. This vulnerability is especially dangerous as the "kill" packet
>> can be completely forged thereby increasing the difficulty when tracking
>> would be intruders and attackers.
>>
>> = Recommendation =
>>
>> Although the Zope development environment is one of the largest and most
>> widely supported open source web content management solutions, it has
>> been plagued with exploitable vulnerabilities. Due to the nature of the
>> software and shear number of vulnerabilities, Foundstone Labs recommends
>> you consider utilizing a different content management solution and at a
>> minimum upgrade your software. Zope updates can be freely downloaded
>> from www.zope.org
>>
>>
>> 
>>
>> ___
>> Zope maillist  -  Zope@zope.org
>> http://mail.zope.org/mailman/listinfo/zope
>> **   No cross posts or HTML encoding!  **
>> (Related lists -
>>http://mail.zope.org/mailman/listinfo/zope-announce
>>http://mail.zope.org/mailman/listinfo/zope-dev )
>
> ___
> Zope maillist  -  Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>   http://mail.zope.org/mailman/listinfo/zope-announce
>   http://mail.zope.org/mailman/listinfo/zope-dev )
>

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/lis

Re: [Zope] HTTP Request Denial of Service Vulnerability

2009-07-19 Thread Chris McDonough 
I have no idea who "Foundstone Labs" is, nor if the denial of service 
vulnerability they're talking about is indeed the one fixed by 
http://www.zope.org/advisories/advisory-2008-08-12/ but:

a) if it is, if you read it closely, you'll note that it's for Zope instances 
where untrusted users have unrestricted access to the ZMI and the ability to 
add 
Python Scripts.  Do you have such a setup?

b) Zope has historically been *very* secure; this company is utterly, 
completely, and hopelessly clueless (nor can they spell "sheer").  If you want 
*real* security horror, I'd suggest taking their advice and "upgrading" to any 
PHP based solution. ;-)

- C


On 7/19/09 10:06 PM, TsungWei Hu wrote:
> I have a Plone 3.2.3 site that runs with Zope 2.10.8 and receive a
> security notice as follows. Is it sufficient to fix this just installing
> http://www.zope.org/Products/Zope/Hotfix-2008-08-12 ? Thanks, /marr/
>
> = Name =
>
> Zope HTTP Request Denial of Service Vulnerability
>
> = Description =
>
> A vulnerability in Zope may allow a remote attacker to manually shutdown
> the system.
>
> = Observation =
>
> The Zope Web Content Management system has been identified with a
> critical denial of service vulnerability. A malicious attacker could
> manually shutdown the target system remotely via a custom web HTTP field
> request. This vulnerability is especially dangerous as the "kill" packet
> can be completely forged thereby increasing the difficulty when tracking
> would be intruders and attackers.
>
> = Recommendation =
>
> Although the Zope development environment is one of the largest and most
> widely supported open source web content management solutions, it has
> been plagued with exploitable vulnerabilities. Due to the nature of the
> software and shear number of vulnerabilities, Foundstone Labs recommends
> you consider utilizing a different content management solution and at a
> minimum upgrade your software. Zope updates can be freely downloaded
> from www.zope.org 
>
>
> 
>
> ___
> Zope maillist  -  Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>   http://mail.zope.org/mailman/listinfo/zope-announce
>   http://mail.zope.org/mailman/listinfo/zope-dev )

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )